technical factsheet 176

Size: px
Start display at page:

Download "technical factsheet 176"

Transcription

1 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection principles 2 5. The rights of individuals 3 6. Information security 3 7. Sending personal data outside the European Economic Area 3 8. The conditions for processing 4 9. The rights of individuals The right to object to processing The right to prevent direct marketing Rights relating to automated decision taking Rights relating to inaccurate personal data The right to compensation Exemptions Rules on use of Cookies and Similar Technologies 7 This technical factsheet is for guidance purposes only. It is not a substitute for obtaining specific legal advice. Whilst every care has been taken with the preparation of the technical factsheet neither ACCA nor its employees accept any responsibility for any loss occasioned by reliance on the contents. 1. INTRODUCTION The Data Protection Act 1998 came into force on 1 March 2000 and replaced the Data Protection Act The Act sets out rules for processing personal information, places obligations on those who process information and gives rights to those who are the subject of that data. 2. REGISTER WITH THE INFORMATION COMMISSIONER S OFFICE Every organisation that processes personal information in an automated form must notify the Information Commissioner s Office (ICO) unless they are exempt. Failure to notify is a criminal offence. Register entries should be renewed annually, failure to renew when required to do so is also a criminal offence. The Act provides an exemption from notification for some organisations. The exemption is available for: 1. organisations that process personal data only for: (a) staff administration (including payroll) (b) advertising, marketing and public relations (in connection with their own business activity) (c) accounts and records 2. some not-for-profit organisations 3. organisations that process personal data only for maintaining a public register 4. organisations that do not process personal information on computer 5. individuals who process personal data only for domestic purposes. Data controllers who are exempt from notification must comply with the other provisions of the Act, and may choose to notify voluntarily. The following is a link to the ICO website which explains whether or not there is a need to notify and how to do so, which includes specific guidance on notification for data controllers for not-for-profit organisations, barristers chambers and pension trust schemes:

2 The Data Protection Act protects the rights of individuals whom the data is about, mainly by placing duties on those who decide how and why such data is processed ( data controllers ). A data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. A data controller must be a person recognised in law, that is to say: (i) individuals (ii) organisations (iii) other corporate and unincorporated bodies of persons. Data controllers will usually be organisations, but can be individuals, for example self-employed consultants. Even if an individual is given responsibility for data protection in an organisation, they will be acting on behalf of the organisation, which will be the data controller. A data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller. Data controllers remain responsible for ensuring their processing complies with the Act, whether they do it in-house or engage a data processor. Where roles and responsibilities are unclear, they will need to be clarified to ensure that personal data is processed in accordance with the data protection principles. For these reasons organisations should choose data processors carefully and have in place effective means of monitoring, reviewing and auditing their processing. The ICO have published a good-practice note on Outsourcing: a guide for small and medium-sized businesses which gives more advice about using data processors, which can be found at: n_2.1_ pdf 3. PERIOD PROTECTION RIGHTS AND DUTIES REMAIN EFFECTIVE The duties under the Act apply throughout the period when personal data is being processed, as do the rights of individuals in respect of that personal data. The Act must be complied with from the moment the data is obtained until the time when the data has been returned, deleted or destroyed. The duties extend to the way the personal data is destroyed when it no longer needs to be kept. The data must be disposed of securely and in a way which does not prejudice the interests of the individuals concerned. Changes in an organisation s circumstances do not reduce an individual s rights under the Act, however responsibility for ensuring this happens may shift, depending on the circumstances. For example if a company goes into administration, control of the company s assets (including the customer database) passes from the board of directors to the administrators, who decide to sell some of the assets. As the administrators now control the purpose and manner in which the database is used, they become data controllers in respect of the personal data it contains. The administrators must comply with the Data Protection Act in connection with any possible sale of the customer database. 4. THE DATA PROTECTION PRINCIPLES Schedule 1 to the Data Protection Act lists the data protection principles in the following terms: 1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless- (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. 2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. 3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. 4. Personal data shall be accurate and, where necessary, kept up to date. 5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. 6. Personal data shall be processed in accordance with the rights of data subjects under this Act. 2

3 7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. 8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. 5. THE RIGHTS OF INDIVIDUALS The Act gives rights to individuals in respect of the personal data that organisations hold about them. The rights of individuals that it refers to are: 1. A right of access to a copy of the information comprised in their personal data 2. A right to object to processing that is likely to cause or is causing damage or distress 3. A right to prevent processing for direct marketing 4. A right to object to decisions being taken by automated means 5. A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed 6. A right to claim compensation for damages caused by a breach of the Act. 6. INFORMATION SECURITY There must be appropriate security to prevent the personal data which is held from being accidentally or deliberately compromised in particular the following should occur: 1. Design and organise security to fit the nature of the personal data being held and the harm that may result from a security breach 2. Be clear about who in the organisation is responsible for ensuring information security 3. Ensure the organisation has the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff 4. Be ready to respond to any breach of security swiftly and effectively. If, despite the security measures taken to protect the personal data being held, a breach of security occurs, it is important to deal with the security breach effectively. Having a policy on dealing with information security breaches is another example of an organisational security measure to be taken. There are four important elements to any breach-management plan: (a) Containment and recovery the response to the incident should include a recovery plan and, where necessary, procedures for damage limitation. (b) Assessing the risks risks associated with the breach should be assessed, as these are likely to affect what action is taken once the breach has been contained. In particular assessment should be made of the potential adverse consequences for individuals, how serious or substantial these are, and how likely they are to happen. (c) Notification of breaches informing people about an information security breach can be an important part of managing the incident, but it is not an end in itself. It should be clear who needs to be notified and why. It may be appropriate to notify the individuals concerned; the ICO; other regulatory bodies; other third parties such as the police and the banks; or the media. (d) Evaluation and response the causes of the breach should be investigated and the effectiveness of the response to it. If appropriate the policies and procedures should be updated accordingly. 7. SENDING PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA The first principle (relating to fair and lawful processing) will in most cases require disclosure to the individuals that their personal data has been transferred to third parties overseas. The seventh principle (concerning information security) will also be relevant to how the information is sent and the necessity to have contracts in place when using subcontractors abroad. 3

4 In addition to the countries in the EEA the European Commission has decided that certain countries have an adequate level of protection for personal data. Currently, the following countries are considered as having adequate protection: Andorra Argentina Canada Faroe Islands Guernsey Isle of Man Israel Jersey Switzerland Further information can be found on the ICO website at the following address: Although the United States of America (US) is not included in the European commission list, the Commission considers that personal data sent to the US under the Safe Harbor scheme is adequately protected. There is a list of the organisations signed up to the Safe Harbour arrangement on the US Department of Commerce website at: If the data protection law in a country has not been approved as adequate, it may still be possible to send personal data to that country. The sender should be satisfied that in the particular circumstances there is an adequate level of protection, such as: 1. Assess adequacy oneself 2. Use contracts, including the European Commission approved model contractual clauses 3. Use Binding Corporate Rules approved by the Information Commissioner (only applies to multinational organisations transferring information outside the EEA but within their group of companies) 4. Rely on the exceptions from the rule. The ICO have produced guidance on the points above which can be found at the following address: Model contractual clauses can be found at the following address: 8. THE CONDITIONS FOR PROCESSING The conditions for processing are set out in Schedules 2 and 3 to the Data Protection Act. Unless a relevant exemption applies at least one of the following conditions must be met whenever you process personal data: 1. The individual who the personal data is about has consented to the processing. 2. The processing is necessary: (a) in relation to a contract which the individual has entered into; or (b) because the individual has asked for something to be done so they can enter into a contract. 3. The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract). 4. The processing is necessary to protect the individual s vital interests. This condition only applies in cases of life or death, such as where an individual s medical history is disclosed to a hospital s A&E department treating them after a serious road accident. 5. The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions. 6. The processing is in accordance with the legitimate interests condition. Three requirements need to be met to qualify as a legitimate interest : 4

5 (a) The first requirement is that the information needs to be processed for the purposes of legitimate interests or for those of a third party to whom the information will be disclosed. (b) The second requirement is that these interests must be balanced against the interests of the individual(s) concerned. Where there is a serious mismatch between competing interests, the individual s legitimate interests will come first. (c) The third requirement is that the processing of information under the legitimate interests condition must be fair and lawful and must comply with all the data protection principles. There are additional conditions which must be satisfied if processing sensitive personal data, these conditions are listed in the Data Protection Act. 9. THE RIGHTS OF INDIVIDUALS Commonly referred to as subject access is most often used by individuals who want to see a copy of the information an organisation holds about them. However, the right of access goes further than this and an individual who makes a written request and pays a fee is entitled to be: 1. Told whether any personal data is being processed 2. Given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people 3. Given a copy of the information comprising the data 4. Given details of the source of the data (where this is available). On individual can also request information about the reasoning behind any automated decisions, such as a computer-generated decision to grant or deny credit, or an assessment of performance at work (except where this information is a trade secret). In most cases you must respond to a subject access request promptly and in any event within 40 calendar days of receiving it. On organisation receiving a subject access request may charge a fee for dealing with it. If you choose to do this, you need not comply with the request until you have received the fee. The maximum fee you can charge is 10. There are different fee structures for organisations that hold health or education records (where the maximum fee is 50, depending on the circumstances). The Act allows you to confirm two things before you are obliged to respond to a request. First, you can ask for enough information to judge whether the person making the request is the individual to whom the personal data relates. Second, you are entitled to ask for information that you reasonably need to find the personal data covered by the request. If you use a data processor, then you need to make sure that you have contractual arrangements in place to guarantee that subject access requests are dealt with properly, irrespective of whether they are sent to you or to the data processor. Responsibility for complying with a subject access request lies with the data controller. The Act does not allow any extension to the 40-day time limit in cases where you have to rely on a data processor to provide the information that you need to respond. 10. THE RIGHT TO OBJECT TO PROCESSING An individual has a right to object to processing only if it causes unwarranted and substantial damage or distress. If it does, they have the right to require an organisation to stop (or not to begin) the processing in question. An individual who wants to exercise this right has to put their objection in writing to the organisation concerned and state what they require that organisation to do to avoid causing damage or distress. This notice is referred to as an objection to processing or a section 10 notice. The organisation concerned must respond within 21 days of receiving the objection to processing. The response must state what the organisation intends to do and, if it intends to comply with the objection in some way, give reasons for the decision. 5

6 If the organisation decides that an objection to processing is not justified and it does not comply with it, the individual can apply to the court. The court can decide whether the objection is justified and, if necessary, order the organisation to take steps to comply. 11. THE RIGHT TO PREVENT DIRECT MARKETING Individuals have the right to prevent their personal data being processed for direct marketing. An individual can, at any time, give written notice to stop (or not to begin) using their personal data for direct marketing. Any individual can exercise this right, and the organisation must comply within a reasonable period of receiving the notice. 12. RIGHTS RELATING TO AUTOMATED DECISION TAKING The right of subject access allows an individual access to information about the reasoning behind any decisions taken by automated means. The Act complements this provision by including rights that relate to automated decision taking. Consequently: 1. An individual can give written notice requiring an organisation not to take any automated decisions using their personal data 2. Even if they have not given notice, an individual should be informed when such a decision has been taken 3. An individual can ask an organisation to reconsider a decision taken by automated means. Some decisions are called exempt decisions because the rights do not apply, even though they are taken using solely automated means and do significantly affect the individual concerned. Exempt decisions are: 1(a) authorised or required by legislation; or (b) taken in preparation for, or in relation to, a contract with the individual concerned; and 2(a) are to give the individual something they have asked for; or (b) where steps have been taken to safeguard the legitimate interests of the individual, such as allowing them to appeal the decision. 13. RIGHTS RELATING TO INACCURATE PERSONAL DATA Where personal data is inaccurate, the individual concerned has a right to apply to the court for an order to rectify, block, erase or destroy the inaccurate information. In addition, where an individual has suffered damage in circumstances that would result in compensation being awarded and there is a substantial risk of another breach, then the court may make a similar order in respect of the personal data in question. 14. THE RIGHT TO COMPENSATION If an individual suffers damage because an organisation has breached the Act, they are entitled to claim compensation from that organisation. This right can only be enforced through the courts. The Act allows the organisation to defend a claim for compensation on the basis that it took all reasonable care in the circumstances to avoid the breach. 15. EXEMPTIONS There are some exemptions from the Act to accommodate special circumstances. If an exemption applies, then (depending on the circumstances) the organisation will be exempt from the requirement: 1. To notify the Information Commissioner; and/or 2. To grant subject access to personal data; and/or 3. To give privacy notices; and/or 4. Not to disclose personal data to third parties. 6

7 Most organisations that process personal data must notify the ICO of certain details about that processing. However, the Act provides exemptions from notification for: 1. Organisations that process personal data only for: (a) Staff administration (including payroll); (b) Advertising, marketing and public relations (in connection with their own business activity); and (c) Accounts and records; 2. Some not for profit organisations; 3. Organisations that process personal data only for maintaining a public register; 4. Organisations that do not process personal information on computer. There are also exemptions from subject access from disclosure and non-disclosure and in relation to other areas. Further details and other aspects of data protection can be found on the ICO website: 16. RULES ON USE OF COOKIES AND SIMILAR TECHNOLOGIES The Privacy and Electronic Communications (EC Directive) Regulations 2003 (the Regulations) cover the use of cookies and similar technologies for storing information, and accessing information stored, on a user s equipment such as their computer or mobile. A cookie is a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites. Cookies are then sent back to the originating website on each subsequent visit. Cookies are useful because they allow a website to recognise a user s device. The Regulations apply to cookies and also to similar technologies for storing information. Using such technologies is not prohibited by the Regulations but they do require that people are told about cookies and given the choice as to which of their online activities are monitored in this way. This guidance uses the term cookies to refer to cookies and similar technologies covered by the Regulations. Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR) says: A person shall not store or gain access to information stored in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met. Paragraph 2 says the requirements are that the subscriber or user of that terminal equipment: (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent. Those setting cookies must: 1. Tell people that the cookies are there, 2. Explain what the cookies are doing, and 3. Obtain their consent to store a cookie on their device. There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is: (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user. First steps to consider to comply with these regulations would be: 1. Check what type of cookies and similar technologies you use and how you use them. 2. Assess how intrusive your use of cookies is. 3. Where you need consent decide what solution to obtain consent will be best in your circumstances. The ICO website and the following guide from the ICO gives further details on various aspects of these regulations: 7

Dublin City University

Dublin City University Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights

More information

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation

More information

Privacy and Electronic Communications Regulations

Privacy and Electronic Communications Regulations ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3

More information

DATA PROTECTION ACT 2002 The Basics

DATA PROTECTION ACT 2002 The Basics DATA PROTECTION ACT 2002 The Basics Purpose of the Act Balance the rights of an individual with an organisation s legitimate need to process personal data Promote openness and transparency Establish and

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

Compliance guide: Data protection. A practical guide to meeting your regulatory and best practice obligations

Compliance guide: Data protection. A practical guide to meeting your regulatory and best practice obligations Compliance guide: Data protection A practical guide to meeting your regulatory and best practice obligations Contents Introduction 3 5 Principle 1: Data must be fairly and lawfully processed 4 5 Principle

More information

An overview of UK data protection law

An overview of UK data protection law An overview of UK data protection law Our team Vinod Bange Partner +44 (0)20 7300 4600 v.bange@taylorwessing.com Graham Hann Partner +44 (0)20 7300 4839 g.hann@taylorwessing.com Chris Jeffery Partner +44

More information

The eighth data protection principle and international data transfers

The eighth data protection principle and international data transfers Data Protection Act 1998 The eighth data protection principle and international data transfers The Information Commissioner s recommended approach to assessing adequacy including consideration of the issue

More information

GSK Public policy positions

GSK Public policy positions Safeguarding Personally Identifiable Information A Summary of GSK s Binding Corporate Rules The Issue The processing of Personally Identifiable Information (PII) 1 and Sensitive Personally Identifiable

More information

Data Protection in Ireland

Data Protection in Ireland Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

Data Protection Policy

Data Protection Policy 1 Data Protection Policy Version 1: June 2014 1 2 Contents 1. Introduction 3 2. Policy Statement 3 3. Purpose of the Data Protection Act 1998 3 4. The principles of the Data Protection Act 1998 4 5 The

More information

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:

More information

Corporate ICT & Data Management. Data Protection Policy

Corporate ICT & Data Management. Data Protection Policy 90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control

More information

Data Transfer Policy London Borough of Barnet

Data Transfer Policy London Borough of Barnet London Borough of Barnet DATA PROTECTION 11 Document Control Document Description Data Transfer Policy Version v.2 Date Created December 2010 Status Authorisation Name Signature Date Prepared By: IS Checked

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction and purpose 1.1 Children s Hearings Scotland (CHS) is required to maintain certain personal data about individuals for the purposes of satisfying our statutory, operational

More information

INFORMATION GOVERNANCE HANDBOOK

INFORMATION GOVERNANCE HANDBOOK INFORMATION GOVERNANCE HANDBOOK SECTION ONE Author Tracey Burrows Role Information Governance Manager (CSCSU) Date / Version February 2015 Version FINAL V1.0 Approved by IM&T Board Date 27 February 2015

More information

Human Resources Policy documents. Data Protection Policy

Human Resources Policy documents. Data Protection Policy Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and

More information

Information Governance Policy

Information Governance Policy Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its

More information

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide PRACTICAL LAW MULTI-JURISDICTIONAL GUIDE 2012/13 The law and leading lawyers worldwide Essential legal questions answered in 30 key jurisdictions Analysis of critical legal issues AVAILABLE ONLINE AT WWW.PRACTICALLAW.COM/DATAPROTECTION-MJG

More information

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in

More information

Little Marlow Parish Council Registration Number for ICO Z3112320

Little Marlow Parish Council Registration Number for ICO Z3112320 Data Protection Policy Little Marlow Parish Council Registration Number for ICO Z3112320 Adopted 2012 Reviewed 23 rd February 2016 Introduction The Parish Council is fully committed to compliance with

More information

Data Protection Policy

Data Protection Policy Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and

More information

Human Resources and Data Protection

Human Resources and Data Protection Human Resources and Data Protection Contents 1. Policy Statement... 1 2. Scope... 2 3. What is personal data?... 2 4. Processing data... 3 5. The eight principles of the Data Protection Act... 4 6. Council

More information

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection

More information

Appendix 11 - Swiss Data Protection Act

Appendix 11 - Swiss Data Protection Act GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

Article 29 Working Party Issues Opinion on Cloud Computing

Article 29 Working Party Issues Opinion on Cloud Computing Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,

More information

Data Protection Policy

Data Protection Policy Internal Ref: NELC 16.60 Review date December 2016 Version No. V04 Data Protection Policy 1 Data Protection Statement Data Protection Policy 1.1 North East Lincolnshire Council recognises that in order

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

Data Protection. Policy and Application July 2009

Data Protection. Policy and Application July 2009 Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:

More information

Paperless World Limited

Paperless World Limited Paperless World Limited Security Policy Statement Contents Section 1: Paperless World Limited Security Policy Statement... 2 Section 2: The Data Protection Act 1998... 2 Section 3: Definitions... 2 Personal

More information

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS Mat Wright www.britishcouncil.org CONTENTS Purpose of the code 1 Scope of the code 1 The British Council s data protection commitment and

More information

A list of CIArb subsidiaries relevant to this notice and their activities is set out below.

A list of CIArb subsidiaries relevant to this notice and their activities is set out below. CHARTERED INSTITUTE OF ARBITRATORS DATA PRIVACY NOTICE INTRODUCTION This data protection notice explains what personal data will be collected by the Chartered Institute of Arbitrators and its subsidiary

More information

Summary of Data Protection Requirements When transferring Data Outside the UK End Users

Summary of Data Protection Requirements When transferring Data Outside the UK End Users Summary of Data Protection Requirements When transferring Data Outside the UK End Users 14 May 2010 Background to transfers of the Data outside the UK Data can be transferred in a couple of ways in relation

More information

Cloud computing and the legal framework

Cloud computing and the legal framework Cloud computing and the legal framework - Guidance on legislative requirement and the contractual environment related to cloud computing Content 1. Introduction 3 2. The Danish Act on Processing of Personal

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Title Author Approved By and Date Review Date Mike Pilling Latest Update- Corporation May 2008 1 Aug 2013 DATA PROTECTION ACT 1998 POLICY FOR ALL STAFF AND STUDENTS 1.0 Introduction 1.1 The Data Protection

More information

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY DATA PROTECTION POLICY Document Control Information Title Data Protection Policy Version V1.0 Author Diana Watt Date Approved 21 February 2013 Review Date Annually, on the anniversary

More information

The Guide to Data Protection. The Guide to Data Protection

The Guide to Data Protection. The Guide to Data Protection The Guide to Data Protection Contents Introduction 1 Key definitions of the Data Protection Act 4 The Data Protection Principles 19 1. Processing personal data fairly and lawfully (Principle 1) 20 2. Processing

More information

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Data Protection (FADP) 235.1 of 19 June

More information

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1

More information

ACCESS TO MEDICAL RECORDS. By Felicia Jolaoye Blavo & Co Solicitors Ltd.

ACCESS TO MEDICAL RECORDS. By Felicia Jolaoye Blavo & Co Solicitors Ltd. ACCESS TO MEDICAL RECORDS. Dorset Healthcare NHS Foundation Trust v MH (2009) : A full disclosure of all relevant material should generally be given and should not present a problem in the vast majority

More information

THE TRANSFER OF PERSONAL DATA ABROAD

THE TRANSFER OF PERSONAL DATA ABROAD THE TRANSFER OF PERSONAL DATA ABROAD MARCH 2014 THIS NOTE CONSIDERS THE SITUATION OF AN IRISH ORGANISATION OR BUSINESS SEEKING TO TRANSFER PERSONAL DATA ABROAD FOR STORAGE OR PROCESSING, IN LIGHT OF THE

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy

More information

DATA AND PAYMENT SECURITY PART 1

DATA AND PAYMENT SECURITY PART 1 STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of

More information

Clause 1. Definitions and Interpretation

Clause 1. Definitions and Interpretation [Standard data protection [agreement/clauses] for the transfer of Personal Data from the University of Edinburgh (as Data Controller) to a Data Processor within the European Economic Area ] In this Agreement:-

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction to the Data Protection Policy Everyone who works for Chorley Council uses personal data in the course of their duties. Chorley Council must gather and process personal

More information

The Impact on Marketing-Related Activities of the Data Protection Act and Related Legislation

The Impact on Marketing-Related Activities of the Data Protection Act and Related Legislation The Impact on Marketing-Related Activities of the Data Protection Audience 1. This guidance is intended for all University staff who maintain or use database of contacts for marketing purposes, including

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

The Manitowoc Company, Inc.

The Manitowoc Company, Inc. The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Data Protection Policy Version: 3 Reference Number: CO59 Keywords: Data, access, principles, protection, Act. Data Subject, Information Supersedes Supersedes:

More information

Data Protection Act a more detailed guide

Data Protection Act a more detailed guide Data Protection Act a more detailed guide What does the Act do? The Data Protection Act 1998 places considerable duties on organisations which process personal data; increases the rights of access by data

More information

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014 Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware

More information

Access to Information: Data Protection and Freedom of Information

Access to Information: Data Protection and Freedom of Information Access to Information: Data Protection and Freedom of Information Records Management Section Data protection: key concepts Personal data Sensitive personal data Data subjects Data protection principles

More information

Personal Data Act (1998:204);

Personal Data Act (1998:204); Personal Data Act (1998:204); issued 29 April 1998. Be it enacted as follows. General provisions Purpose of this Act Section 1 The purpose of this Act is to protect people against the violation of their

More information

DATA PROTECTION MANUAL

DATA PROTECTION MANUAL DATA PROTECTION MANUAL VERSION TABLE Version Date Published CO Circular 1 September 2008 3 July 2015 July 2015 2 CONTENTS Part A: General Guidance 1 Introduction to the Data Protection Act 1998 5 2 The

More information

On the edge Lexis PSL Restructuring & Insolvency

On the edge Lexis PSL Restructuring & Insolvency On the edge Lexis PSL Restructuring & Insolvency Data protection law for insolvency practitioners November 2014 Welcome to your third edition of On the edge, a series of guides highlighting a selection

More information

INTERNATIONAL SOS. Data Protection Policy. Version 1.05

INTERNATIONAL SOS. Data Protection Policy. Version 1.05 INTERNATIONAL SOS Data Protection Policy Document Owner: LCIS Division Document Manager: Group General Counsel Effective: December 2008 Revised: 2015 All copyright in these materials are reserved to AEA

More information

HERTSMERE BOROUGH COUNCIL

HERTSMERE BOROUGH COUNCIL HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act

More information

Data Protection Acts 1988 and 2003: Informal Consolidation

Data Protection Acts 1988 and 2003: Informal Consolidation Page 1 of 55 Data Protection Acts 1988 and 2003: Informal Consolidation IMPORTANT NOTICE This document is an informal consolidation of the Data Protection Acts 1988 and 2003, prepared by the Office of

More information

MIS Privacy Statement. Our Privacy Commitments

MIS Privacy Statement. Our Privacy Commitments MIS Privacy Statement Our Privacy Commitments MIS Training Institute Holdings, Inc. (together "we") respect the privacy of every person who visits or registers with our websites ("you"), and are committed

More information

Personal Data Protection Policy

Personal Data Protection Policy Personal Data Protection Policy Please take a moment to read the following Policy. If there is anything you do not understand then please contact us. We are committed to protecting privacy. This Personal

More information

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act

More information

DATA PROTECTION ACT 1998 COUNCIL POLICY

DATA PROTECTION ACT 1998 COUNCIL POLICY DATA PROTECTION ACT 1998 COUNCIL POLICY Page 1 of 5 POLICY STATEMENT Blackpool Council recognises the need to fully comply with the requirements of the Data Protection Act 1998 (DPA) and the obligations

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19 Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility

More information

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each;

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each; DATA PROTECTION POLICY Introduction TWM Solicitors maintain certain personal data about individuals for the purposes of satisfying operational and legal obligations. The Data Protection Act sets rules

More information

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES 4 April 2013 James Castro-Edwards Solicitor Monica Salgado Advogada / Portuguese Lawyer OUR TEAM Speechly Bircham is an ambitious, full-service law firm with

More information

Identity Cards Act 2006

Identity Cards Act 2006 Identity Cards Act 2006 CHAPTER 15 Explanatory Notes have been produced to assist in the understanding of this Act and are available separately 6 50 Identity Cards Act 2006 CHAPTER 15 CONTENTS Registration

More information

Data Protection Procedures

Data Protection Procedures Data Protection Procedures PROCEDURE OVERVIEW: This Procedure outlines Down District Council s ( the Council ) commitment to the Data Protection Act 1998 ( the Act ) and provides a framework for the Council

More information

Code of Practice on Data Protection for the Insurance Sector

Code of Practice on Data Protection for the Insurance Sector Code of Practice on Data Protection for the Insurance Sector (Approved by the Data Protection Commissioner under Section 13 (2) of the Data Protection Acts, 1988 and 2003) Forward I am very happy to be

More information

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

Thompson Jenner LLP Last revised April 2013 Standard Terms of Business

Thompson Jenner LLP Last revised April 2013 Standard Terms of Business The following standard terms of business apply to all engagements accepted by Thompson Jenner LLP. All work carried out is subject to these terms except where changes are expressly agreed in writing. 1

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Prepared By: Malkiat Thiarai Head of Corporate Information Management Date of Publication: 23/01/2013 Version: 5.0 Classification: Not Protectively Marked Page 1 Table of Contents

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Version: V1 Ratified by: Operational Management Executive Committee Date ratified: 26 September 2013 Name and Title of originator/author(s): Chris Brady, FOI, Data Protection and

More information

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION The Data Protection Act 1998 (DPA) was passed in order to implement the EU Data Protection Directive (95/46/EC) and applies to all data relating to, and

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Owner : Head of Information Management Document ID : ICT-PL-0099 Version : 2.0 Date : May 2015 We will on request produce this Policy, or particular parts of it, in other languages

More information

AIRBUS GROUP BINDING CORPORATE RULES

AIRBUS GROUP BINDING CORPORATE RULES 1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY The information and guidelines within this Policy are important and apply to all members, Fellows and staff of the College 1. INTRODUCTION Like all educational establishments, the

More information

CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION DIRECTIVE

CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION DIRECTIVE Représentant les avocats d Europe Representing Europe s lawyers CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION DIRECTIVE CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION

More information

ECSA EuroCloud Star Audit Data Privacy Audit Guide

ECSA EuroCloud Star Audit Data Privacy Audit Guide ECSA EuroCloud Star Audit Data Privacy Audit Guide Page 1 of 15 Table of contents Introduction... 3 ECSA Data Privacy Rules... 4 Governing Law... 6 Sub processing... 6 A. TOMs: Cloud Service... 7 TOMs:

More information

IT asset disposal for organisations

IT asset disposal for organisations ICO lo Data Protection Act Contents Introduction... 1 Overview... 2 What the DPA says... 3 Create an asset disposal strategy... 3 How will devices be disposed of when no longer needed?... 3 Conduct a risk

More information

Data Protection Policy

Data Protection Policy Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's

More information

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

More information

Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website

Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website Date created: November 2015 Date for review: July 2016 Created by: Mark Vanstone,

More information

This Applicant Privacy Notice Continental Europe is dated: July 2012 WILLIS.COM: PRIVACY NOTICE

This Applicant Privacy Notice Continental Europe is dated: July 2012 WILLIS.COM: PRIVACY NOTICE Applicant Privacy Notice for Positions in Willis Companies Located in the European Union and European Economic Area Excluding the United Kingdom ( Applicant Privacy Notice Continental Europe ) This Applicant

More information

INFORMATION PRIVACY STATEMENT

INFORMATION PRIVACY STATEMENT INFORMATION PRIVACY STATEMENT Victoria Police is bound by the Privacy and Data Protection Act 2014 in how it manages personal information. Victoria Police is committed to protecting the personal information

More information

Data Protection Workshop: How the Law Affects You Practice Questions

Data Protection Workshop: How the Law Affects You Practice Questions Data Protection Workshop: How the Law Affects You Practice Questions 1. Which of the following is not personal data covered by the Data Protection Act (pick one or more): A. Comments about an individual

More information

Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0

Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0 PROVIDER NAME: POLICY AREA: College of Computing Technology (CCT) Standard 10: Information Management, Student Information System & Data Protection Policy and Procedure Title: Maintaining Secure Learner

More information

Guidelines on Data Protection. Draft. Version 3.1. Published by

Guidelines on Data Protection. Draft. Version 3.1. Published by Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013 Table of Contents Section One... 2 1.1 Preamble... 2 1.2 Authority...

More information

DATA PROTECTION CORPORATE POLICY

DATA PROTECTION CORPORATE POLICY DATA PROTECTION CORPORATE POLICY Information Management V1.1 03 July 2012 Not protectively marked This policy must be complied with fully by all Members, Officers Agents and Contractors of Plymouth City

More information

Co-operative Energy, Co-operative House Warwick Technology Park, Warwick CV34 6DA.

Co-operative Energy, Co-operative House Warwick Technology Park, Warwick CV34 6DA. Terms and Conditions May 2014 Co-operative Energy: General Terms and Conditions for Domestic Customers Only Applicable from 1st June 2014. Co-operative Energy Limited is a limited liability company registered

More information

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk Data Protection Act 1998 The for the Borough Council of King's Lynn & West Norfolk 1 Contents Introduction 3 1. Statement of Intent 4 2. Fair Obtaining I Processing 5 3. Data Uses and Processes 6 4. Data

More information

Scottish Rowing Data Protection Policy

Scottish Rowing Data Protection Policy Revision Approved by the Board August 2010 1. Introduction As individuals, we want to know that personal information about ourselves is handled properly, and we and others have specific rights in this

More information

on the transfer of personal data from the European Union

on the transfer of personal data from the European Union on the transfer of personal data from the European Union BCRsseptembre 2008.doc 1 TABLE OF CONTENTS I. PRELIMINARY REMARKS 3 II. DEFINITIONS 3 III. DELEGATED DATA PROTECTION MANAGER 4 IV. MICHELIN GROUP

More information

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person.

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person. PART I: INTRODUCTION AND BACKGROUND Purpose This Data Protection Binding Corporate Rules Policy ( Policy ) establishes the approach of Fluor to compliance with European data protection law and specifically

More information